This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Best Practices for Application Policies?
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Re: Best Practices for Application Policies?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Best Practices for Application Policies?
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-07-2009 12:31 PM
I was wondering if there is a best practices document for setting up a policy to control particular applications. I've already dug through the Skype tech document which tells to enable unknown applications. Are there any other applications that work better or require unknown applications to be enabled? To take it further, is there an application dependency list available? For example when creating a policy allowing bittorrent traffic out, the firewall prompts during the verification process that web-browsing should be enabled for bittorrent. Is there a document that will say “X application requires Y application to work correctly”. I would prefer not to find out during the verification process.
- FJ
Labels:
- Labels:
-
App-ID
19 REPLIES 19
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-09-2009 02:40 PM
hello Frank,
currently we do not have such a document as this, but this a great idea. I am currently pursuing the possibilities of producing such a document. This document would need to be live as we are continually updating application signatures with each content release.
Also a case has been created for this issue for tracking. It is case 7836. You can call into support and refer to it to get updates.
Thank you,
Stephen
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-13-2009 10:27 PM
As a clarification, from our testing with current software and content, we no longer see any issue with Skype call quality when not allowing unknown traffic. We will work to get the tech note updated.
On the general topic of application dependencies, the system will show you these dependencies at the time of commit. We are looking at enhancing the policy workflow to make those dependencies more apparent when adding applications to a rule. Hopefully this will feel more natural than the current warnings. Let us know if you have thoughts about better ways to highlight these dependencies.
Mike
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-14-2009 08:21 AM
Thanks for getting back to me. For the time being, do you have a list of applications that either require or benefit from allowing unknown-tcp, *-udp, *-p2p? Or in other terms, would creating a policy which allows the "unknown group" traverse the firewall, would it lead to the firewall identifying more applications? Are there any applications that cannot be identified without the "unknown group" being enabled? I need to make a case to my manager to whether or not we should allow the "unknown group" and having a list of applications that benefit from it would help my case.
As far as application dependencies, I would prefer to find out either while I'm editing the security rule base or beforehand from a document. I don't care to wait during the commit process. For my team and I its a personal preference.
I appreciate your help on this.
Thanks,
FJ
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-14-2009 08:36 AM
The key with unknown-tcp and unknown-udp is that they indicate that we
are seeing an application we do not recognize. If you have an
application in use that falls into this bucket, then allowing unknown-
tcp or unknown-udp is important (assuming it is an application you
want going in and out). There shouldn't be any applications that we
have App-IDs for that benefit from allowing unknown traffic. For the
applications that we do not recognize, you have a few options. You can
submit the application to us and we will add an App-ID for it. If it
is an HTTP-based application you can write your own custom App-ID for
it. If it is served on a static port or IP, you can create an
Application Override rule for it. Finally, you can allow the unknown
traffic.
In general, if you have an open policy where you allow most
applications, then allowing the unknowns probably makes sense. If you
are trying to create a restrictive policy where you only allow a small
subset of applications, then blocking unknown applications is probably
a better fit. In many environments, we see customers starting out
allowing unknowns and then doing a little investigation on the types
of flows that are showing up as unknown to determine which of the
above options should be chosen for dealing with those flows.
Thanks for your feedback on the dependencies. We will continue down
the path of figuring out a way to make them apparent within the
context of rulebase edits.
Mike
Related Content
- MS RDP via GlobalProtect is not working in some cases in GlobalProtect Discussions
- Traffic getting hits on non-allowed URLs in General Topics
- Palo Alto interfaces in Layer 2 - Portchannel - Log Monitor more details in General Topics
- Move/clone/copy from FW Local Policies to existing Device Groups in General Topics
- Demo Videos of some of the new AIOps 2.5 features in AIOps for NGFW Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks